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A system for generating authorization codes, such as 
personal identification numbers, at the point of distribution of 
certificates <k value on wliich the authorization codes are to 
be printed or otherwise encoded. Because the authorization 
codes are generated In real time, there is no need to store and 
safeguard an inventory of preprinted certificates, or even an 
inventmy of activated authorization codes. The princ^les of 
the Invention apply botfi to systems for generating taoentive 
award certificates and to sy^ems for generating purchased 
certificates of vahie. The incentive awards or certificates of 
value are toloens of prepayment for a service, such as long- 
distance telqshone service or other service. The authorization 
codes generated for inchisicm widi the vahie certificates 
are unique and seemingly random. They are generated by 
taking a non-random unique code, such as a sequ^ice code, 
and encr^rting It to obtain seemingly random, but unique, 
authorization codes. Because each authorization code is 
not ggntratfff until immediately prior to distribution of fiie 
certificate wifii wtdcb the code b a ssociated, security and 
odier problems peitidning to preprinted cerdficates and canis 
are eliminated. 
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METHOD AND APPARATUS FOR GENERATING PERSONAL 
IDENTIFICATION NUMBERS FOR USE IN CONSUMER PROMOTIONS 

BACKGROUND OF THE INVENTION 

5 

This inveiition relates generally to systems for issuing consumer 
promotions, usually in the form of coupons or certificates, in response to the purchase 
of preselected itrais in a retail store, or simply when a customer purchases one of the 
promotions. More specifically, the invention rehttes to systems for issuiiig promotions 
10 or certificates of tite type that reqmres a unique personal identification number (PIN) to 
be conveyed to a customer receiving the item. PINs are printed or encoded on valuable 
certificates awarded to customers and subject to redemption for various promotional and 
marketing purposes. Eadi certificate must be resistant to fraud and must be securc from 
duplication. Thereforc, each certificate's PIN number must be unique and, in general 
f ) IS must be generated rai^omly. Having random but valid unique numbers requires the 

creation and storage of the numbers in databases. Tlie administration of such a database 
becomes very tune consuming* expensive and difficult. Therefore, there is a need for a 
PIN generation tcdmique that eUminates the requirement for creating and maintaining 
a valid PIN database. 

20 More specifically, the prcsent invention relates to the awarding of 

property, goods, services, or rights, at the point-of-sale, based on certain criteria which 
can be measured at the point-of-sale, and where the authenticity of the award can be 
verified at the tune of reden^)tion with the use of a code that need not be established 
prior to the award. While the invention will be described mainly in coimection with the 

25 awardiqg of free lotig distance tdephone service, it is to be undorstood that the princq)Ies 
of the invention are also applicable to providing any award, at the point*of-sale, where 
tlie subsequent voificadon of die award can be accomplished without the need for a pre- 
established list of valid authorization codes. 

A marketing technique that has enjoyed increasing popularity is the 

30 awarding, at the point-of-sale, of a free product or service as an incentive to purchase 
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other products or services. Typical iiiaiketii\g programs offer 5 or 10 minutes of long 
distance service as incentives to purchasing the sponsoring company's product, as 
potential prizes for participating in a marketing contest, or as premiums offered under 
a retailer's frequent shopper loyalty program, or simply as a product for purchase. With 
5 respect to marketing long distance telephone service, there are generally two methods 
employed. One method entails the registration of the consumer and the issuance of a 
telephone "credit card" for which an account is established and is later credited with 
certain dollar amounts of telephone service based on the consumer's actions or 
purchases. Another method is to issue telephone "debit cards" to each consumer meetmg 
10 die requirements of the particular marketing program. These debit cards are generaUy 
pre-authorized in S or 10 minute denommations. The issuance of a debit card does not 
establish an account, but rather is autfiorized for the specified amount of telephone 
service and then becomes useless after the telephone time is exhausted. With both 
methods, the consumer is usually requited to dial a toU-ftee number and provide a 
15 personal klentification number (PIN) m order to activate die free service. This PIN must 
be randomly generated prior to die issuance of the telephone credit/debit card so that 
verification of valid usage can be established prior to granting the free service. 

Witfi each of the processes described above, there is a i«quii«nent that 
a physical card (similar to a consumer credit card) be issued to the consumer. The 
20 manufacmre and delivery of these cards represents a significant e;q>ense and therefore 
can be cost prohibitive in many circumstances. In addition, there are security concerns 
inherent in the manufacture and delivery of the cards since someone other than die 
intended user could easily convert than for dieir own use (especially in the case of die 
debit card smce the PIN is generally preprinted on die card itself). Another Umitation 
25 of the current methods of marketing telephone cards is die fisct that the account and/or 
a PIN must be generated prior to die issuance of a card. This can result in a time tag 
from die time die consumer conq^lies widi the offer and die time at which the telqihone 
service is available (especially widi respect to die credit card mediod). This limitation 
can also cause shortages or excess inventories of cards based on consumer demand 
30 (especially widi respect to tiie debit card mediod). 
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Regaidless of whether a certificate or award' is presented to a consumer 
as an incentive to purchase selected products or simply in response to a request to 
purchase the service that the certificate provides, the difficulties described above have 
inhibited safe and efficient distribution of such certificates. Hie following paragraphs 
5 discuss the problems that apply specifically to the distribution of prepaid service 
certificates, such as prepaid long-distance calling cards. 

Problems first arise at the manufacturing stage. Cards are typically pre- 
printed with the value in dollars or the time in miimtes, in preset amounts, even though 
the consumer may prefa to have a different value or tune. Moreover, pr^rinted cards 

10 have the further limitation that tliey contain fixed important information, such as an 
^'SOO" toll-free number for accessing the service. Access numbers may become 
overloaded and cause inconvenient delays for the user and new access numbers may have 
to be added to meet demand, but there is no convenient way to update this information 
on a pre-printed card. Similarly, each preprinted card has a PIN (personal identification 

15 number) that must be used to activate the card, i.e., turn it on for use. The preprintii^ 
of PINs on the card exposes tte vahie of the card to anonymous and usually untraceable 
theft Qnoe the card is printed, its vahie can be stolen without physically taking the card 
itself. The theft can take place aiiywhere from the printii^ source to the retail outlet. It 
will be apparent that sendiiig these ""live" cards through a supply and distribution process 

20 is firaugbt with security risks. The special handling adds to the cost and difficulty of 
marketing and selling remote value cards. Unsuspecting consumers may purchase carxls 
that are either dqpleted or being used by others purchased illegally. The merchandisiAg 
and sales of tamper resistant cards adds to the cost and effon for everyone. live cards 
with protected PINs must be treated as a near-cash item through the distribution and 

25 rdailing process. As a delivery of cards is made to a store, if it is not kept under lock 
and key or in the cash drawer it may be easily stolen, lost or misplaced. The cards 
thffliselves are very small and easily concealed by unscrupulous employees or shoppers. 
Therefore, suppliers and r^ailers of these cards are exposed to a very large financial risk 
in handlmg the cards. If the value is taken illegally from a card, it is not possible for the 

30 retailer to accept the return or bill back the supplier. 
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One solution is to distribute ""dead** cards instead of ""live** ones. A dead 
card is one Aat has a PIN that must be activated by the retailer before distribution to the 
consumer. Activating preset PINs is veiy expensive, time consuming and error prone. 
Distributinig dead cards witti PINs that require activation is, therefore, inconvenient and 
S is still prone to theft and misuse because some card suppliers preprint and assign the 
PINs in a uniform, predictable or uiq)rotected manner. Dishonest persons may dial the 
access number and rater PINs until Aey successfully access the service, or may look for 
a pattern m multiple PINs, and then resell the PIN and access numbos to different users. 
Another potential problem is that some PIN sequences are purposely short, for the 

10 convenience of die user. This creates a dangerous situation, since a computer dialer can 
more easily pick and decipher short PINs that are not encoded. 

Another proposed solution to the security problem is to use scratch-off 
coatings and removable tape covers over the PINs. This has a limited effect because die 
^live** and vahiable cards can still be stolen and used anonymously by dishonest persons, 

15 anywhere through the supply chain. 

Systems have been proposed in which prepaid cards are sold without a 
PIN. The PIN is activated or attached to the card after is a call is made to a central 
computer that issues PINs. In some systems of this type PINs may be downloaded m a 
batch, and then held until a card is purchased, at which time a PIN is attached to the 

20 prq>rinted portion of the card. Tb& princqral Ihnitation of this method is that a call must 
be made to a central conq)uter to issue a PIN. This slows the down the transaction and, 
in a retail environment, slows down tiie cashfer while the con^mter is dialed and the PIN 
is issued. Further, a dishonest or mattentive cashier could sell or give away the value 
of the PINs. 

25 Some prepaid telephone cards are sold or vended in enclosed plastic 

containers placed in a store display rack. The cashier selling such cards typically scans 
a bar code on the display itself, and a PIN is obtained by placing a call to the service 
provider. This bar-coded activation method fails to prevent fraud or misuse by others as 
the bar codes can be duplicated and used on more than one card. A thief could steal one 
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or more cards and purchase to obtain tbe valid batch code, thus activating the stolen 
cards as well. 

It will be appreciated from the foregoing that prior art techniques for 
distributing certificates or cards redeemable for a valuable service all have practical 
5 difficulties that render the certificates or cards both inconvenient to the consumer and 
vulnerable to fraud or theft. There is a need for a new approach for distributing such 
certificates or cards in a convenient manner without compromising the security of the 
valuable services that are obtained by use of the cards. The present invention satisfies 
this need» as briefly described in the followipg summary of the invention. 

10 

SUMMARY OF THE INVENTION 

The present invention resides in a method for assuring security of 
individually identifiable randomly numbered certificates is accomplished by printmg an 

15 encoded self-validating PIN on each certificate. An encryption method permits the PIN 
to be deciphered when it is presented for redemption. The method enables a greater 
numbw of potential posonal idendfication numbers, in the fimn of PINs, to be generated 
from a limited or fixed number of digits. 

The method mcludes the printmg of an authorization code on die 

20 certificate, which code will subsequently be used to verify die validity of the award. 
Preferably, die method includes die generation, in real time at die point-of-sale in a retail 
store, of seemingly random authorization codes which will be subsequently used to verify 
the validity of the award as well as to provide information pertaining to the location of 
the printing of the autiiorization code on the certificate, which will also be subsequendy 

25 used to verify the validly of die award. 

Briefly, and in general terms, the method of the invention conqirises the 
steps of detecting the occurrence of an event that has been preselected to trigger the 
generation of a certificate of value for distribution to a customer of a retail store; 
generating a certificate of value in response to the detectmg step; generating a unique 

30 and seemingly random authorization code at about the same time that the certificate is 
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generated; and including the authorization code in the certificate. The certiHcate is self- 
validating and has no existence or value prior to its generation and there is, therefore, 
no lequirraient to keep an inventory of either certificates or authorization codes before 
their generation. 

5 More specifically^ the step of generating a unique and seemiqgly random 

authorization code includes fonnii^ a unique code and encrypting it to obtain the unique 
and seemingly random authorization code. The stq) of fomuAg a unique code inchides 
combining a unique sequence number with other codes, and the sbsp of encrypting 
includes combining the unique code with a key code, and positionally rearranging the 

10 code obtained from the combining step, to obtain the unique and seemingly random 
authorization code. The method may also include the step of validating the authorization 
code when the certificate is presented to claim its value, wherein the validating step 
inchides decry[Xing tiie authorization code to recover the uiuque code, and then verifying 
that the unique code is valid. 

IS The stq) of detectmg an event may be either detectmg the purchase of at 

least one triggering product, in which case the certificate is in the nature of a reward for 
purchasing tiie triggering product, or detecting a request to purchase a selected vahie 
certificate, in which case tiie certificate is itself a purchased triggering product. 

In terms of novel apparatus, the tnv^on comprises an in-store computer 

20 to detect tiie occurrence of an event that has been preselected to trigger tiie generation 
of a certificate of value for distribution to a customer of a retail store; a certificate 
gjsxrmc for generatmg a certificate in response to tiie detection of a triggering event; 
and an authorization code generator, for generating a unique and seenungly random 
authorization code at about the same time that tiie certificate is generated; whereui die 

25 autiiorization code is inchided in the generated certificate, which becomes self-validating 
on generation. Because the authorization codes are generated at the time of certificate 
distribution, tiiere is no requirement to keep an inventory of eitiier certificates or 
authorization codes. More specifically, the autiiorization code generator of tfie apparams 
includes encryption logic, for encrypting a unique code to obtain the unique and 

30 seemingly random autiiorization code. The encryption logic includes a code combiner. 
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for combining the unique code with a key code to obtain a first-level encrypted code; and 
code sequence rearrangenient logic, for changing the sequence of digits in the furst-level 
enciypted code, to obtain the seemingly random authorization code. Hie apparams may 
also inchide validation logic* for decrypting the authorization code to recover the unique 
5 code, and then verifying that the unique code is valid. As in the method discussed above, 
the apparatus may be used in two altemadve ways. Specifically, the certificate generator 
either operates in response to the purchase of a preselected triggering product, and 
generates a reward certificate, or operates m response to a request to purdiase a value 
certificate. 

10 Accordingly, besides the objects and advantages of the encryption and self- 

validating PIN system described, several objects and advantages of the present invention 
are: 

(a) to provide an economical system and method for delivering ''value*' to 
consumes, in die form of a promotion certificate that Is uniquely identifiable by 

IS a randomly numbered code, such that the certificate is self validating ami self 

liquidating, meanii^ that the certificate itself contains sufficient information to 
enable the consumer to have the certificate validated and to receive ''value" for 
the certificate in some designated form; 

(b) to provide a system and method for generating randomly numbered certificates 
20 that are fraud resistant, without the need for a pre-approved database of valid 

PINs; 

<c) to provide a unique PIN to be inserted onto a certificate by printing; and 
(d) to provide a system and method that eliminates the need for a special pre-printed 
card for receiving pre-paid services. 
25 Odier aspects and advantages of tiie invention will become apparent from 

the following more detailed description, taken in conjunction with the accompanying 
drawings, which are briefly described below. 



30 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 shows a flowchart of the process of identifying conditions for 
printii^ a certificate and or coupon. 
5 Fig. 2 shows a flowchart of the process of coupon and or phone 

certificate. 

Fig 3 shows a flowchart for the creation of an encrypted pin number for 

a certificate. 

Fig. 4 shows a flowchart for the insertion into the printing instructions of 
10 the encrypted pin number onto the certificate. 

Fig. S is a block diagram of a system in accordance with the present 

invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

As shown in the drawings for purposes of illustration, the present 
invention relates generally to tfie awarding of properQr. goods, services, or rights, at the 
point-of-sale, based on certain criteria which can be measured at the point-of-sale, and 
where the authenticity of the award can be verified at the time of redemption with the 

20 use of a code ttiat need not be established prior to the award. While the invention is 
described mainly in connection with tbe awarding of free long distance telephone service, 
it is to be understood that tfie principles of the invention are also applicable to providing 
any award, at the point-of-sale, where the subsequent verification of the award can be 
acconqilished iKitfaout the need for a pre-establisbed list of valid authorization codes. The 

25 same principles of the invention also apply to the generation of certificates purchased at 
the point of sale by consumers, wherein the certificates are part of a mechanism for 
providing a valuable service to the consumers. The most significant difference between 
a certificate purchased by a consumer and one generated as a reward, is the source of 
payment for the certificate. When it is purchased by the consumer, the consumer pays 

30 for the value of the certificate; when it is distributed as a reward, some other entity. 
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such as a product manufacturer or retailer* pays for the value of the certificate. The 
mechanism for generating the certificate, and in particular the PIN printed on the 
certificate, is the same in both cases. 

In the context of a reward, the invention offers an alternative to ''crats 
5 ofT coupons and fipee product items. Instead, the invention gives customers free minutes 
of lootg distance phoi^ time or other valuable services. More specifically, the invention 
entails the monitorii^ of data diat is transmitted over the point-of-sale computer network 
or ''store loop/ as indicated in block 10. This data encompasses ai^ event that can be 
identified from the point-of-sale system, including but not limited to, die method of 

10 payment, the total price of shopping order, the historical purchase behavior of a 
particular customer, or the Universal Product Codes or other standard code of items 
purchased. These items of data are analyzed to determine if any of them relate to an 
award program currently beiqg promoted. If the data detected on the point-of-sale system 
is a triggerii^ item for a program in the program database 12, then the invention will 

IS commence an awarding process. If not, the coupon or certificate generation steps are 
bypassed, as determuied in decision block 14. In decision block 16, the system 
determines whether all prescribed conditions have been met. A coupon or certificate may 
be defined to be generated only upon the occurrence of multiple conditions, such as the 
purchase of multiple products. If not all of the conditions have been met, the detected 

20 event is saved in a list, as indicated in block 18, and coupon or certificate generation is 
bypassed. 

If it is determined that coupon or certificate printing should take place, 
this function is performed, as indicated m block 20 and further described in Fig. 2. The 
processing loop of Fig. 1 is continued by checking whether the detected event should be 
25 logged, as indicated in block 22, and if so, logging the event as indicated in block 24. 

The coupon printing process begins as indicated at 26 in Fig. 2 and 
includes reading a coupon file, as indicated at 28 to detennine the nature of the coupon 
or certificate to be printed. If the coupon is not a telephone service certificate, as 
determined in clock 30, a conventional discount coupon is involved and is printed (block 
30 32) before returning, as indicated at 34, to the processing loop of Fig. 1. If a telephone 
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service certificate is involved, as detennined in block 30, processing continues in block 
36, as further d^ailed in Fig. 3. 

If the award to be given requires an authorization code to be printed on 
the certificate, then the system will determine if the award program is to be run with 

5 pre-established authorization codes or with system graerated codes. Using pre-established 
authorization codes is the conventional method for generating certificates with 
authorization codes, and is not shown in the drawuigs. Pre-established authorization 
codes are generated by the party that will be providing the awards and are loaded into 
a database as they become available. If the award program requires the use of pre- 

0 established codes and an tmused, pre-established code exists, the system will print a 
certificate, which describes the nature of the award ami provide an authorization code, 
to be used in redeeming the award. If, upon searching the database for unused codes, 
the system determines there are none, the system will print a message at the point-of-sale 
to indicate that the award is not currently available and indicate some other means for 

5 obtaimng the award that was earned. 

If the system determines that the award program identified requires a 
system generated authorization code, the system will search for a data encryption file. 
If a data encryption file does not exist, the system will print a message at the point-of- 
sale to indicate that die award is not currently available and to indicate some other means 

0 for obtaining the award that was earned. If a data encryption file exists, the system will 
use this file to generate in real time, as indicated in Fig. 3, a ten-digit authorization code 
to be printed on the award certificate. This process begins, as indicated at 38, and first 
requires reading of a comrol file (40) that contains various parameters used in the 
generation of the certificate. A certificate sequence number obtained from the control file 

15 is incremented, as indicated in block 42, and die control file is updated, as mdicated in 
block 44. Then a ^'Ist level authorization code" is generated, as indicated in blocks 46 
and 47. This code includes a 5-digit locadon number, a 4-digit PIN number, and a check 
digit. The location number represents the number of the store at which the award or 
certificate is being distributed. This number will remain the same for that store 

)0 throughout an award program. The PIN number will change incrementally each time an 
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i } 

award certificate with a computer generated authorization code is printed. The check 
digit can be computed in a variety of ways, such as by adding all the other digits 
together and then ignoring all but the last digit of the result. This 1st level authorization 
code is then enciypted with the use of a ten-digit "key" code, as indicated in block 50. 
5 Each award program run will have a different key code associated with it. The 
matfaonatical function performed using the key code can vary. For example, each digit 
of tihe key code may be added to the respective digit of the Ist level authorization code 
without a carry, to arrive at a "2nd level authorization code". To acconq)lish adding 
without a carry, if the sum of two digits results in a number greater than 9, the first digit 
10 of the result will be ignored. 

For example, if the PIN number at store 1 was to start at 1, the 1st level 
authorization code would be: 0000100012. 

If the key code established for the award program were 1234SS9884, the 
2nd level authorization code would be: 1234659896. 
f J 15 The 2nd level authorization code is then rearraiiged using a pre-established 

rearrangement scteme, as indicated in block 52. A rearrangement scheme is a ten digit 
sequence which indicates a new ordering for each digit of the 2nd level authorization 
code. The rearrangement schemes are grouped into tables of ten schemes each. Each 
scheme of one table would have the same last digit. This last digit of the scheme 
20 indicates in which digit position of the final authorization code the table's scheme 
number will be placed. Each award program will have a specific rearrangement scheme 
table associated with it. For example, assume the following table exists to rearrange the 
2nd level authorization code obtained above: 



1 
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Rearrangement Scheme Table 
Original Position 
Scheme number: 0 1 23456789 



S 0 7354982160 

1 1598234670 

2 8412756390 

3 5941368270 

4 3794861520 
10 5 1539274860 

6 2685149730 

7 93 17482560 

8 6428915730 

9 4196283 75 0 

15 

Because the 2nd level authorization code ends with a 6, the ^stem will 
use rearrangement scheme number 6 or : 
2,6.8.5.1,4,9.7,3.0. 

Each digit in the above sequence indicates the new position of the digit in the 
20 corresponding position of the 2nd level authorization code. Therefore, the 2nd level 
authorization will be transformed into the fmal authorization code of: 
6619542839. 

This number will then be mseited mto the certificate and printed, as 
indicated in blocks 54 and 56. together with instructions to use it as authorization in 
25 redeeming the award earned. 

When tfie award certificate is presented for redemption, the awarding 
parQr wOl have to verify that the certificate bemg presented is a valid one. This will be 
done in one of two ways. First, if the award program was run using pre-established 
authorization codes, the award provider will simply review its list of authorization codes 
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to detennine if tiie one currently presented is valid. If it is valid* the award wiU be given 
and the authorization code will be stricken from the award provider's list. 

If the award program was run with system generated authorization codes, 
the award provider would perform the reverse of the procedures performed by the 

5 systm in encryptiqg the authorization code for print. In order for tliis party to perform 
the decryption procedures, ttiQr will have to be provided with the rearrangement scheme 
table and key code associated with the program as well as valid location numbers, PIN 
numbers, and the check digit mediodology. In our exanqile, tbQ award provider would 
receive the auOorization code 6619542839. Because this code has a 6 m the 0 position, 

0 the provider will look to the rearrangement scheme in the sixdi position in the 
rearrangement table they were given. This rearrangement sdieme will be used to re- 
order the authorization code back to 1234659896. Then the key code will be subtracted 
out (without borrowing from digits) to arrive at the original authorization code of 
0000100012. This code can then be verified by confirming that the check digit 

5 methodology agrees with the one which was pre-established, the location number is a 
valid one, and the PIN number is valid based on the pre-established starting number and 
increment amount. It can also be confirmed in the provider's database that this 
authorization code has not already been used for this program 

0 Setting Up a Long Distance Calling Promotion Program: 

Promotion or sales programs usmg ttie principles of the present invention 
may be implemented in a variety of ways. Preferably, and most conveniently, the 
invention can be inq)lemented using equipment already installed in retail stoie for other 
purposes. As shown in FIG. 5, a Qrpical retail store already includes a coupon or 

5 certificate printer located at each checkout terminal, and a scanner at each checkout 
tenmnal, to record which items are purchased by each customer. The store also has, in 
addition to its conventional conq)uter (not shown), an in-store computer 60 used 
exclusively for monitoring purchases and generating coupons and the like. This in-store 
PC 60 is coupled to a store computer loop 62 that connects all the checkout terminals 

0 to the store's main computer, and is also connected by an appropriate communication 
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link to a promotion program administrator's computer 64, which is located at some 
central site, remote from the stores. 

The administrator's computer 64 may be used for setting up various 
promotions, such as for the generation of discount coupons to be triggered by the 
S purchase of selected items. In the context of the present mvention, the administrator's 
computer 64 is set up to contain the following files: 

(1) a file containing in each record the number of PINs to distribute to 
each store in the program, defined by store number and chain number, 

(2) a file containing in each record textual mformation similar to that in 
10 the first file, for transmission to the telq)hone service provider 66. 

(3) a text file that is downloaded to each store computer 60 and contains 
the toll-free ''SOO" number information and PIN information, such as a starting number 
to use, as discussed above for PIN generation. In an alternative embodiment of the 
invention, encrypted PINs may be generated m the administrator's computer 64 and 

IS downloaded to the stores, rather than generated in the individual stores. 

Associated with tfie in-store conqniter 60 is a certificate printer 68, which 
prints telephone service certificates, as indicated at 70. The consumer (not shown) dials 
the toll-free 800 number printed on the certificate 70, using a telephone 72, which is 
connected to the telephone service provider 66. 

20 Set-up of a program also requires the specification of certain elements of 

the certificate layout, sach as where the "SOO** number will be printed and where the 
encrypted PIN will be printed. This aspect of the implementation is no different fit)m 
similar aspects of implen^ntation of other coupon programs. For purdiased certificates, 
instructions may be printed in any of a number of lai^guages, as selected at the time of 

25 purchase. 

If tte telephone service certificate cannot be printed for some reason (e.g., 
PIN numbers exhausted, wrong PIN file, or damaged PIN file), an alternate certificate . 
can be set iq) for printing. The philosophy in this regard is to provide the customeir with 
a mail-in certificate in the event that an actual phone certificate cannot be issued, even 
30 though tiie customer has complied with the requirements of the certificate offer. 
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PIN Generation: 

This section describes the piocess through which PINs will be generated 
in such a way that a telephone service provider will be able to validate the PINs without 
knowing in advance what those PINs actually are. 

5 

Overview of PIN Generation: 

PINs will initially be generated in the format as follows: 
lUlUumnc 

where: 

10 UIU is a preassigned five-digit location number, 
nnnn is a four-digit PIN, and 
c is a check digit (modulo 10). 

The location number llUl will remain constant throughout a promotion program. The PIN 
number nnnn will increment every time a certificate is issued. The check digit is 

IS calculated by adding all of die odd digits (starting from the right). The even digits are 
doubled imlividually, and if the result of a doubled digit is greater than 10, the digits of 
the resulting number is summed. For example, 8 would double to 16, then the digits 1 
and 6 would be added together, yielding 7. The sum of all of the doubled even digits is 
then added to the sum of all of the odd digits. The result (modulo 10) is the check digit. 

20 Once this conqxDsite PIN has been created, a ten digit "key** field will be 

added to the 10 digit PIN number without cany, that is, each digit in the key is added 
to the respective digit in the PIN. If there is a carry (the result is greater than 9), the 
carry is ignored. After the key is added, the PIN is rearranged by picking one of ten 
rearnqgement sequences based on the last number of the PIN. The rearrangement table 

25 must be created in such a way that the last digit (the one that started out as the check 
digit) is always placed in the same position so that validation can take place at the 
telephone service provider*s site. 

The validation process merely reverses this process. The telqihone 
service provider will be provided with a list of valid store location ntmibers and key 
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information for each program to use in the validation process. The sequence table will 
not need to change with each program. 

Example: 

5 If tte PIN number at location 1 was to start at 1, the actual pin number 

would be: 0000100012, where 00001 is the location, 0001 is the PIN number and 2 is 
the check digit. 

Assume for the example that tte "key" is 0123456789. The converted PIN 
would then be: 0123SS6791 
10 The lookup into the sequence table would be subscript 1 (the resultmg, 

converted check digit). If the sequence at location 1 were to be 0987654321, the actual 
PIN printed would be: 

0197655321 

In order for this process to work, all of the sequence numbers would have 
15 to end in 1. This assures that the validation process can be worked backwards. 

VaUdation: 

When the printed PIN is entered via a telephone key pad, die telephone 
service provider must perform the following calculations in order to assure that this is 
20 a valid PIN. 

Find the sequence: Since the sequence key is in an agreed upon location (position 1 

m the example) the provider must get sequence 1 from the table 

and apply it to the PIN. 

PIN 0197655321 
25 SEQ # 0987654321 

PIN 0123556791 
Remove the key: Next, the key must be removed from the PIN. (Subtraction needs 

to be done without borrowing from the other digits.) 



30 
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PIN 0123556791 
KEY 0123456789 
PIN 0000100012 

At this point, the check digit should be checked to validate the PIN. If the check digit 
5 passes, further validation should take place, e.g., to verify that die location number 
(00001) a valid location. 

More security can be added by selecting a valid raoge for the four-digit 
PIN number. One mi^ start at 100, for example, and increment by 3. To validate the 
number in this case, two additional criteria must be met: Oie number must be greats 
10 than 100, and the number minus 100 must be divisible by 3. 

Files: 

One file will reside on the store computer for each telephone calling 
program currently running. For example, the file name will be of the form: 
15 Tnunmmmmm.??? 

The file will contain the following: 

ssss, ccct mil, mmn,il,10*[ rrrrrrrrrr] , kkkkkkkkkk, nnnnnnnnnn 

where: 

20 ssss is the store number. 

ccc is the chain number. 

mil is the five-digit location number. 

nnnn is a starting number. 

is a value to increment the starting number by. 
25 HTriTiTrr is a relocation table (used to scramble the nimibers). 

kkkkkkkkkk is the deciyption/encryption key. 

nnnnnnnnnn is the program 800 number. 

More specifically, the file name may be Tmmmmnunm.CMC. The file will be a 
transmitted from the program administrator's computer to the telephone service provider. 
30 It will be generated during the creation of the individual files for the store computer. The 
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file will contain one entry (record) for each store running a particular phone program. 
Each record will look as follows: 

m,ccc,mnn,a,kkkkkkkka 

where: 

5 Ulll is die ftve-digit location number. 

ccc is the chain number. This must be cross-referenced to the five-digit 

location number so that when a PIN is redeemed, the proper recording is 
played to the consumer, 
nnnn is the starting PIN number. 

10 ii is the value each PIN will be incremented by. 

kkkkkkkkkk is the decryption key used in this program. 



Conclusion: 



IS (a) A summary of the process using the example of awards of long distance 

telephone service follows: 

A manufacturer of (Brand A) baby food wishes to provide five minutes 
of long distance telephone service to each consumer that purchases more than three jars 
of a competitor's (Brand B) baby food. A consumer enters a retail establishment 

20 Oocation 00001) and purchases a cart full of groceries which includes five jars of Brand 
B baby food. The point-of-sale monitoring system described m U.S. Patent No. 
4,723,212 to Mindrum et. al. identifies the first jar of Brand B baby food as being 
related to an award program that is currently in process at this location. It further 
identifies that the program is a tdq>hone service award and requues the purchase of four 

25 or more jars of Brand B baby food. The monitoring system logs this purchase and the 
additional purchases of Brand B baby food until the requirements of the award program 
have been met. If the requirements were not met, the purchases would be ignored and 
a certificate would iK>t print for this award program. If the requirements have been met, 
the system initiates an award process which delivers the wishes of the Brand A 

30 manufacturer. It retrieves the structure which is required on the resulting award 
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certificate and completes fields which require unique input from the system. For this 
program, the unique information required includes a 1-800 telephone number to call to 
activate the award and the authorization number needed for proof of validity. The system 
retrieves the propCT 1-800 telephone number for this award and location and determines 
5 that (in this example) the authorization code must be generated by the system. The 
system identifies the award currently earned as the first award at this location and 
therefore assigns the 1st level authorization code: 0000100012 discussed above. Using 
the key code and rearrangement table discussed above, the system arrives at the final 
authorization code 6619542839 and mserts this code in the proper field of the award 
10 design. The Mindrum system then causes the printer at the pomt-o^sale to print the 
award certificate so it can be handed to the consumer with her receipt tape when 
checkout is complete. The consumer receives a certificate which may contain the 
following text: 

''Congratulations! 

15 You've just been awarded five minutes of free long distance telephone service 

. Compliments of Brand A baby food 
To activate your free service sinq)ly dial: 1 (800) 123-4567 
BataT authorization code : 6619542839 when prompted." 

20 The consumer can then immediately gain access to a telephone, dial the 

800 number, respond to axiy pre-recorded advertising messages activated by this number 
and then enter die authorization code. Once the authorization code is entered, the 
telq)hone service provider's system can perform the decryption procedures outlined 
above to verily that the award is valid and has not already been used. Once this 

25 procedure is performed, which would take a matter of seconds, the free service is 
activated and the certificate is discarded by the consumer. 

The consumer has received the same benefit as she would have received 
if the award program were run using the traditional credit or debit card methods. 
However, ttere is no lag time between earning the award and receiving the benefit. The 

30 costs associated with manufacturing and delivering plastic cards are avoided, as well as 
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the security concerns related to the handling of such cards. Hiere are no shortages or 
excess inventories and, if the ital-time generation of authorization codes is used, there 
is no need to wait for codes from the service provider prior to delivering certificates. 

5 (b) In an alternative mq)lementation of the invention, value certificates, such 

as for telq)hone long-distance service, are generated in response to requests to purchase 
such certificates. The method and apparatus for generatmg a PIN for the certificate are 
die same as described for die award generation example. The principal difierei»:e is the 
manner in which the certificate generation is triggered. For die award, one or more 

10 purchasu^ events are detected and used to trigger the generation of the certificate. For 
the purchased certificate, the triggering event is the consumer's request to purchase a 
certificate of a selected value or telephone tune. Another difference is that the award 
certificate carmot normally be extended in time or value, but the purchased certificate 
can be ''recharged" by adding more value, such as through use of a credit card. Other 

IS differences pertain to the manner in which the certificate redemption stage is imple- 
mented. Promotional messages directed to die consumer are typically supplied by the 
certificate retailer* in contrast to the manufacturer messages usually directed to the 
consumer who wins a promotional award. In most unportant respects, however, the two 
types of certificates are generated in exactly the same way and have similar advantages. 

20 The most important advantages of die invention arise from its generation 

of an authorization code or PIN immediately prior to distribution of a certificate. 
Security problems arismg from preprinting PINs on certificates or cards, or from 
maintaining an inventory of PINs, are completely eliminated. Moreover, no time is 
wasted in having to activate certificates at the time of distribution, because each 

25 certificate is printed witii a newly generated, unique, active PIN or authorization code. 
A related advantage is diat access numbers and other user information can be easily 
updated as die need arises, because the mfonnation is not preprinted on the certificates. 
Anodier advantage is diat die PIN, when decrypted, contams the identify of the location 
where die certificate is printed and distributed. This mfonnation can be used to provide 
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an audit trail, for accurate tracking of certificate usage, and to aid tlie detection of any 
fraudulent use of the certificate. 

It will be appreciated that the invention also has application to other types 
of promotions and sales activities, and is not limited to the distribution of telephone 
5 calling time certificates. More generally, the invention is applicable to any situation in 
which it is desired to distribute valuable credit or services in a secure manner, such that 
the credit or services can only be claimed or redeemed by means of a personal 
identification code. Importantly, the invention provides a way of encrypting personal 
identification codes in real time at the point of their generation, theieby effectively 
10 precluding the possibility that the codes may be lost or stolen between their point of 
generation and their point of use. Moreover, the invention avoids the need for creation 
and maintenance of a database of valid personal identification codes. 

1 ) 
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CLAIMS 

What is claimed is: 



1 L A method for generation of a certificate providing valuable credit or 

2 services, the method comprising the steps of: 

3 detecting the occurrence of an event ttiat has been preselected as an event 

4 to trigger the generation of a certificate of value for distribution to a customer of a retail 

5 store; 

6 generating a certificate of value in response to the foregoing detecting 

7 step; 

8 generating a unique and seoningly random auttiorization code at about the 

9 same time that the certificate is generated; and 

10 including the authorization code in the certificate, wherein tlie certificate 

11 is self-validating and lias no existence or value prior to its generation, viiereby there is 

12 no requiremrat to keq> an inventory of either ceitificates or authorization codes prior to 

13 dieir distribution. 

1 2. A metiiod as defined in claim 1, wherem: 

2 die stq> of generating a unique and seemingly random authorization code 

3 includes forming a unique code and encrypting it to obtain the unique and seemingly 

4 random audiorization code. 

1 3. A method as defined in claim 2. wherein: 

2 die step of forming a unique code includes combining a unique sequence 

3 number with other codes. 

1 4. A method as defined in claim 3, wherein die step of encrypting 

2 includes: 

3 combining the unique code with a key code; and 
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4 positionally reamnging the code obtained from the combming step« to 

5 obtain the unique and seemmgly random authorization code. 

1 5. A method as deflned in claim 1, and ftuther comprising the step of: 

2 using the authorization code on the certificate to obtain a valuable service* 

1 6. A method as defined in claim 2, and fiuther comprising the step of: 

2 validatmg die authorization code vfben die certificate is presented to claim 

3 its value, wherein the validating step includes deciypting the authorization code to 

4 recover the unique code, and then verifying that the unique code is valid. 

1 7. A method as defined in any of claims 1*6, wherein: 

2 the step of detecting the occurrence of an event includes detecting the 

3 purchase of at least one triggering product; and 

4 ttie certificate is in the nature of a reward for purchasing die triggering 

5 product. 

1 8. A method as defined in any of claims 1-6, wherein: 

2 the step of detecting the occurrence of an event includes detecting a 

3 request to purchase a selected certificate of value. 

1 9. Apparatus for generating a certificate providing valuable credit or 

2 services to a customer of a retail store, the apparatus comprising: 

3 an in-store computer to detect the occurrence of an event that has been 

4 preselected to trigger the generation of a certificate of value for distribution to a 

5 customer; 

6 a certificate generator for generating a certificate in response to the 

7 detection of a triggering event; and 

8 an authorization code generator, for generating a unique and seemingly 

9 random authorization code at about the same time that the certificate is generated; 
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10 wherein the authorization code is iiK:luded in the generated certificate, 

11 which becomes self- validating on generation, and whereby there is no requirement to 

12 keep an inventory of either certificates or authorization codes prior to their distribution. 

1 10. Apparatus as defined in claim 9, wherein the authorization code 

2 generator includes: 

3 encryption logic, for encrypting a unique code to obtain the unique and 

4 seemingly random authorization code. 

1 U. Apparatus as defined in claim 10, wherein the encryption logic 

2 includes: 

3 a code combiner, for combining the unique code widi a key code to obtain 

4 a first-level enciypted code; and 

5 code sequence rearrangement logic, for changing the sequence of digits 

6 in the first-level encrypted code» to obtain the seemiogly random authorization code. 

1 12. Apparatus as defined in claim 10, and further comprising: 

2 validation logic,* for decrypting the authorization code to recover the 

3 unique code, and then verifying that the unique code is valid. 

1 13. ^paratus as defined in any of claims 9-12, wherein: 

2 the certificate generator operates in response to the purchase of a 

3 preselected triggering product, and generates a reward certificate. 

1 14. Apparatus as defined in any of claims 8-12, wherein: 

2 the certificate generator operates in response to a request to purchase a 

3 certificate of value. 
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1 15. A method for generation of a toten evidencing prepayment for a 

2 service* the method comprising the steps of: 

3 detecting the occurrence of an event that has been preselected to trigger 

4 generation of a token of prepayment for distribution to a consumer; and 

5 generating the token of prepayment token m response to the foregoing 

6 detecting step, wherein the step of generating the token of prepayment includes 

7 generating a unique and seemingly random authorization code for mclusion as part of the 

8 token; 

9 wherein the token is self-validating and has no existence or value prior to 

10 its generation, and whereby there is no need to maintain an inventory of tokens or 

11 authorization codes. 
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